Posted on 05-18-2015 08:19 AM
Hello Fellow JAMFers!
I have been trying to get HTTPS downloads to work on our Ubuntu DP for a while now and it just doesn't seem to work. This is the same server that hosts our JSS, so it has tomcat enabled and running JSS 9.7 on port 8443 with no issues.
All the instructions i have seen online have instructed me to setup a self-signed cert with apache2 on the server. So, I have created a self-signed cert and can connect directly via https URL in a web-browser with no issues (I do get an untrusted screen initially), however when I run a policy it fails. The error I get is : NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9812)
If I check the apache2 log on my ubuntu box, i see no errors. Also, HTTP on port 80 works fine as expected.
My questions are... Do I need to somehow setup the DP using the self-signed cert my JSS is currently using (via tomcat)? Was it wrong to set this up on the same server as my JSS?
Overall, am looking for any help on how to get this to work, it's driving me crazy!
Thanks! skoonin
Posted on 05-18-2015 08:35 AM
While connecting to an https: URL through my browser would work after I accepted the self signed cert, I could not get the JSS to work with a self signed cert for an HTTPS DP, once I put on a real entrust cert it started working. My best guess is the cert fails inspection from the jamf binary and you don't have a way to say add exception to the jamf binary for downloading from a self signed server.
Posted on 05-18-2015 08:38 AM
@nessts Thanks, yea it looks that way. If I trust the cert first on the computer, the policy installs over https. Unfortunately my company doesn't have a trusted cert.
If you, or anyone knows, is there any way to somehow use the JSS cert for a DP? Maybe I can export/copy it over to apache2?
Posted on 05-18-2015 08:47 AM
I tried exporting the JSS cert too, it did not help until I got a real certificate. I think if you need HTTPS DP then you need to pony up for a real cert. I assume its a security concern that is driving you HTTPS, if so somebody should be able to come up with 200 for a certificate I would think.
Posted on 05-18-2015 08:57 AM
@nessts ah ok, glad you saved me the headache of looking into the export method! will see about the cert then.
thanks
Posted on 05-18-2015 09:41 AM
Spend the $10 on a real cert. Self-signed is often more trouble than it's worth and it's only as secure as some random stranger on a sidewalk saying, "Hey buddy. You can trust me."
Posted on 05-21-2015 06:18 AM
just to close the loop on this thread, I managed to get SSL working pretty easily once I got a valid certificate. The issue I ran into after that was that some files would randomly fail to install. JSS would say that the file could not be verified, even though it installed fine over SMB/AFP and when accessed directly from a browser. Once, I turned of file verification in JSS, everything works as expected!